Symbol Resolution & Ftrace Hooks
How we locate sys_call_table and intercept syscalls via ftrace
Symbol Resolution
- We spoof a GPL license so the kernel exports `kallsyms_lookup_name()` to the module:

```c
MODULE_LICENSE("GPL");
```

- At init, we call:

```c
sys_call_table = (void **)kallsyms_lookup_name("sys_call_table");
```

This gives us the address of the syscall table.
Ftrace-Based Hooking
We use ftrace to hook without writing to kernel memory directly.
For each target syscall:
- Define an `ftrace_ops` whose initializer sets the callback and flags:

```c
.func  = hook_trampoline,
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY,
```

- Apply the filter and register the ops:

```c
ftrace_set_filter_ip(&ops, (unsigned long)orig_syscall, 0, 0);
register_ftrace_function(&ops);
```

- Our trampoline copies the registers, calls `hook_fn()`, then jumps back to the original.

Always unregister your ftrace functions in `cleanup_module()`:

```c
unregister_ftrace_function(&ops);
```
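The `FTRACE_OPS_FL_IPMODIFY` flag used above is visible from the defender's side: on kernels that expose it, `/sys/kernel/tracing/enabled_functions` lists every function with a live ftrace callback and marks IPMODIFY entries with an `I` flag. The parser below is an added example written from a detection standpoint, not code from this project; the sample lines are constructed, the addresses are placeholders, and the bare-address `ops:` entries stand in for a callback the kernel could not resolve to a symbol.

```python
import re
import sys

# Constructed sample of /sys/kernel/tracing/enabled_functions (not a real capture).
# Line format: "<func> (<count>) [R] [I] [D]<TAB>ops/tramp details". R marks
# FTRACE_OPS_FL_SAVE_REGS, I marks FTRACE_OPS_FL_IPMODIFY (callback may rewrite the
# return IP, i.e. redirect the function). Kernel live patching also uses IPMODIFY,
# so an I flag is a lead to investigate, not proof of a rootkit.
SAMPLE = """\
__x64_sys_getdents64 (1) R I\tops: 0xffffffffc0a3b040 (0xffffffffc0a39120)
__x64_sys_kill (1) R I\tops: 0xffffffffc0a3b040 (0xffffffffc0a39120)
vfs_read (1)    \ttramp: 0xffffffffc04ff000 (ftrace_caller+0x0/0x80) ->ftrace_ops_list_func
do_sys_open (1) R  \ttramp: 0xffffffffc0500000 (ftrace_regs_caller+0x0/0xc0) ->ftrace_ops_assist_func
"""

LINE_RE = re.compile(r"^(?P<func>\S+) \((?P<count>\d+)\)(?P<flags>[ RIDOM]*)(?:\t(?P<rest>.*))?$")
# "ops: <addr> (<addr>)": the callback printed as a bare address, i.e. the kernel
# could not resolve it to a symbol (for example, its module is not in the module list).
UNRESOLVED_RE = re.compile(r"ops: 0x[0-9a-f]+ \(0x[0-9a-f]+\)")

def parse_enabled_functions(text):
    """Parse enabled_functions text into one dict per function with a live callback."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line
        flags = set(m.group("flags").split())
        entries.append({
            "func": m.group("func"),
            "count": int(m.group("count")),
            "regs": "R" in flags,
            "ipmodify": "I" in flags,
            "ops": m.group("rest") or "",
        })
    return entries

def find_ipmodify_hooks(text):
    """Return entries whose callback may redirect execution, flagging unresolved callbacks."""
    hits = []
    for e in parse_enabled_functions(text):
        if e["ipmodify"]:
            e["unresolved_ops"] = bool(UNRESOLVED_RE.search(e["ops"]))
            hits.append(e)
    return hits

if __name__ == "__main__":  # pass a path to a live tracefs file (needs root) or use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for h in find_ipmodify_hooks(text):
        print(f"{h['func']}: IPMODIFY hook, regs={h['regs']}, unresolved_ops={h['unresolved_ops']}")
```

An `I` entry on a syscall entry point whose callback resolves only to a raw address is worth correlating with the loaded-module list and any live patches before drawing conclusions.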
Code Location
rootkit/hook/ftrace_hooks.c
rootkit/hook/syscall_list.h